» ISP News » 
Sponsored Links

Google, UK ISPs and Gov Battle Over Encrypted DNS and Censorship

Monday, Apr 22nd, 2019 (9:49 am) - Score 11,107

The UK Government, broadband ISPs and the National Cyber Security Centre (NCSC) are set to meet on the 8th May 2019 in order to discuss Google’s forthcoming implementation of encrypted DNS (DoH – DNS over HTTPS), which politicians fear could break their internet censorship plans.

The existing Domain Name System (DNS), which works to convert Internet Protocol (IP) addresses into a human readable form (e.g. to examplefakeblah.co.uk) and back again, is currently unencrypted and usually managed automatically by your ISP. This gives providers a lot of control over related traffic and enables various support features (Parental Controls, network performance testing etc.).

By comparison DNS over HTTPS (DoH) sends DNS requests via the encrypted HTTPS protocol and some major website browsers, such as Chrome (Google) and Firefox (Mozilla), are planning to introduce their own DoH solution. The result could be that ISPs lose a lot of their control over DNS, which would break some of their services including DNS based website blocking (e.g. the new porn site blocks will use DNS based censorship).

At this point we should remind readers that ISPreview.co.uk covered this topic in a lot more detail earlier this month (here), which is worth a read if you want to understand why the big ISPs have concerns about DoH; despite it effectively being a security improvement for consumers.

According to The Sunday Times, the Government are particularly concerned about the impact that all of this could have on their wider plans for internet censorship (i.e. not just breaking their porn block but also disrupting future ambitions under the Online Harms White Paper).

One unnamed government official is reported to have said that their ability to investigate paedophiles and terror cells would be hampered. Meanwhile intelligence and law enforcement officials have noted that Google could use DoH to amass vast detail on people’s browsing habits and device usage (note: they can already do this without DoH), which they say might be held by Google under Californian law.

At this point we rather suspect that a collective “meh..“, possibly followed by some distinct shoulder shrugging, will be emanating from anybody with moderate I.T. experience. This is because DNS based blocking has always been easy to circumvent and consumers have always had the ability to adopt a third-party DNS provider (OpenDNS, Google Public DNS etc.).

One key difference here, other than encryption, is that Chrome and Firefox could make their own DoH solutions the default (so far neither have done so – it’s still optional, for now). Similarly if third-parties want to adopt DoH then there’s precious little that ISPs can do about that, save for perhaps making more extensive use of expensive Deep Packet Inspection (DPI) technology, but even this has its limits and problems.

Meanwhile the question that consumers may end up having to ask themselves is whether or not they’d rather let ISPs have access to their DNS data or Google/Mozilla. It’s also worth considering that many other third-parties may launch their own default DoH solutions in the future, which may further complicate matters. Some of the DNS based support features offered by ISPs are also quite useful, thus breaking them with DoH isn’t always desirable (likely to give ISP support teams a complex headache).

Suffice to say, it would be interesting to be a fly on the wall at next month’s meeting.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook and .
Search ISP News
Search ISP Listings
Search ISP Reviews
31 Responses
  1. Avatar photo Joe says:

    “One unnamed government official is reported to have said that their ability to investigate paedophiles and terror cells would be hampered. Meanwhile intelligence and law enforcement officials have noted that Google could use DoH to amass vast detail on people’s browsing habits and device usage ”

    Nice juxtaposition. The gov want to monitor browsing habits but fane outrage at others theoretically doing the same. While google data collection might be a risk doubtless others will deliver anonymised E-DNS

    1. Avatar photo CarlT says:

      There are quite a few things we permit government to do but would resist handing over to the private sector.

    2. Avatar photo Joe says:

      That might be true but there is hypocracy in the gov attacking the privacy issues with private dns while wanting to breach the same privacy.

    3. Avatar photo CarlT says:

      Not really. That’s what government does. You pay your taxes to government that’s normal, another private citizen tries to tax you that’s extortion.

      It’s actually quite legitimate to be concerned about Google processing data under California state law. UK and EEA entities have to obey GDPR.

      It’s pretty rich coming from the state that’s second only to China in CCTV per capita but is not unreasonable.

    4. Avatar photo Joe says:

      In most cases the Gov is bound by the same data regs as private entities. It just doesn’t like it which is why it so regularly loses court cases by breaching data protections.

      Not that I’m a fan of GDPR – its monumentally dim legislation.

    5. Avatar photo D says:

      I’d rather Google has my data than UKgov. UKgov has no interest in anything other than a token effort to secure our data. They are acting how a fascist state does, taking your privacy and your voice in the interests of security in a manner akin to using a nuke to crack a nut – it is that proportional.

      Google / Alphabet has a vested interest is protecting your data and their entire business model is intrinsically tied to it being secure.

      Let’s see who we should trust here? a government with a lousy track record for record keeping, corruption and inane decisions to cripple freedom and privacy, or do we trust a major business who’s entire business model is entirely and exclusively about keeping your data secure from 3rd party access and a track record to prove it?

      I know where my data is safest and the current law changes are no different to Tony Blair when he tried to kill off habeas corpus and the Bill of rights in an attempt to weaken our freedoms and rights.

  2. Avatar photo Mike says:

    Anything that inhibits state overreach can only be a good thing.

  3. Avatar photo CarlT says:

    If filters are based around Cleanfeed and equivalents encrypted DNS isn’t really worth that much.

    That tech uses IP addresses to select traffic for further inspection and DPI on that subset can be used.

    If someone is accessing a site whose certificate indicates it is pornography it’s a fair bet the site in question is pornographic. This can be done in less than 10 packets per flow.

    Can hide the DNS, can’t hide the Common Name in the certificate.

    1. Avatar photo Joe says:

      Obviously it covers off DNS leaks with various proxies/vpns and the like

    2. Avatar photo Kevin says:

      “Can hide the DNS, can’t hide the Common Name in the certificate.”
      I believe TLS 1.3 deals with that too, as I though the exact same thing initially. The only thing which can’t be hidden is the IP address of the server…

    3. Avatar photo Joe says:

      Correct it encrypts the certificate.


    4. Avatar photo CarlT says:

      Server Name Indication?

      Saves waiting for the certificate from the server. Have the client send the address it’s looking for over the datapath to the server.

      Aware that a fully encrypted standard, ESNI, is in progress. It will be interesting to see what the next step in eavesdropping is once this is widely implemented.

      For the curious this gives a couple of ways that a client can get keying material to encrypt the TLS handshake. DNS is one of those so it’s a great fit for DNS over HTTPS.

    5. Avatar photo CarlT says:

      Yes, read it. Thank you, both.

  4. Avatar photo Karen Cookson says:

    I think this article covers a lot of the conundrums

    Perhaps if the browsers give the users an ability to choose a different DoH resolver, then a lot of peoples concerns of “all in the hands of Google” would be somewhat dissipated.

    1. Avatar photo Joe says:

      karen: Individual apps do that anyway, indeed various browsers allow manual DNS setting or default options setting aside the OS itself. Many VPNs take over DNS requests

    2. Avatar photo Joe says:

      For example: Just about:config in firefox and then add any of these:


    3. Avatar photo captain.cretin says:

      I havent used my various ISPs DNS servers since last century (dial-up). My router is set to use TWO different services, on the off-chance one goes down.

  5. Avatar photo Numpty Power says:

    Given the fact history in this country shows when ISPs and our government lose private information of job public or worse when it comes to government security information and equipment and it then takes them ages to admit it, i know who i would sooner have my “browsing habits and device usage” information out of them and Google.

    Sure the likes of Google and the like also stuff up but they actually try to fix things when things go wrong.

    I would not trust Talk Talk and their previously hacked systems or BT and its history of Cleanfeed and similar with no notification (only admitting it when caught out).

    As for our own inept governments of the past 30 or so years who have as some highlights have lost hundreds of computers and left things like documents about Al-Qaida and Iraq on a train. The government even trying to convince me this is about security in any way, rather than them controlling the internet is laughable.

    “…Meanwhile intelligence and law enforcement officials have noted that Google could use DoH to amass vast detail on people’s browsing habits and device usage”

    Perhaps whoever that clown was should be more concerned about departments like the MOD, who regularly lose ammunition, computers, phones, explosives and detonators. YES really folks.

    My only hope is Google do not go all Snowflake as they do too often and cave to whatever stupid demands our government make.

  6. Avatar photo Bob2002 says:

    If people are genuinely concerned about DNS records being collected they should probably set their router up to use a VPN anyway – decent VPN providers are pretty cheap so there isn’t really much of a barrier to doing this.

  7. Avatar photo Moses Jonson says:

    I’d none of them had my data like that, UKgov will abuse that data and google well google is google, ut to be perfectly clear, what the Ukgov is trying to pull off (in the end will fail). We’ll have to wait and see how this whole process will play out (looks like a pandora box mess) waiting to explode on the table of UkGov, just like universal credit.

  8. Avatar photo Andy M says:

    Don’t know about Chrome’s implementation yet but Firefox uses Cloudflare for DoH resolution. Therefore this doesn’t give Mozilla any more visibility of users DNS requests than it did before, as is being implied here that they would be handling the DNS requests in DoH. Cloudflare’s DNS server is also known for making privacy a priority.

    1. Avatar photo Some says:

      Cloudflare loves Privacy? Ha-ha… Microsoft loves Linux, I remember.
      Try to use Tor to love Cloudflare and Privacy at the same time.

  9. Avatar photo Freman says:

    There are already ways to hide this traffic, but won’t somebody please think of the children?!?!!!

    Typical BS and rhetoric from the government.

    There exists tools to let you mix your ISP and 3rd party DNS solutions so you can have secure DNS for 99 percent of everything and keep your ISP’s DNS magic for whatever they’re providing if you want.

    If you have nothing to hide, you’ve got nothing to fear, right? Well how about the government let us check out their DNS queries?

    1. Avatar photo Jordan says:

      They are claiming terrorists and pedophiles won’t be as easy to track but they already aren’t as the clever ones will be using tools to hide their online activity including VPN. People have always stood by and accepted the government’s excuse that they need to monitor and record internet traffic, invading privacy to prevent crime, when most of the criminals are invisible already as they are the ones using VPN and other secure means of access.

  10. Avatar photo Mr Hardon says:

    A random thought: surely a browser defaulting to its own encrypted dns would also break internal DNS services

  11. Avatar photo CarlT says:

    I’ll be keeping an eye on Pi Hole’s progress in this regard. It’s served me beautifully at home so far.

  12. Avatar photo t0m5k1 says:

    Could not care less and TBH, I’m glad they’re in a tailspin over it as it shows how clueless they really are to all this.

  13. Avatar photo Mml says:

    Looks like Sky already acted and blocked ANY third-party DNS in its latest Hub firmware update. What do you say?

  14. Avatar photo Gregory Sabin says:

    BT have said on there messaging service that ipv6 is not supported for consumers I am using my own billion bipac 8800nl router on adsl can anybody tell me if what bt have said is correct I had entered the Google open fans settings in the advanced settings but when I tested it it said no ipv6 found

  15. Avatar photo Gregory Sabin says:

    I meant Google open dns sorry

Comments are closed

Cheap BIG ISPs for 100Mbps+
Community Fibre UK ISP Logo
Gift: None
Virgin Media UK ISP Logo
Virgin Media £26.00
Gift: None
Shell Energy UK ISP Logo
Shell Energy £26.99
Gift: None
Plusnet UK ISP Logo
Plusnet £27.99
Gift: None
Zen Internet UK ISP Logo
Zen Internet £28.00 - 35.00
Gift: None
Large Availability | View All
Cheapest ISPs for 100Mbps+
Gigaclear UK ISP Logo
Gigaclear £17.00
Gift: None
YouFibre UK ISP Logo
YouFibre £19.99
Gift: None
Community Fibre UK ISP Logo
Gift: None
BeFibre UK ISP Logo
BeFibre £21.00
Gift: £25 Love2Shop Card
Hey! Broadband UK ISP Logo
Gift: None
Large Availability | View All
The Top 15 Category Tags
  1. FTTP (5516)
  2. BT (3515)
  3. Politics (2538)
  4. Openreach (2297)
  5. Business (2262)
  6. Building Digital UK (2245)
  7. FTTC (2044)
  8. Mobile Broadband (1973)
  9. Statistics (1788)
  10. 4G (1664)
  11. Virgin Media (1619)
  12. Ofcom Regulation (1461)
  13. Fibre Optic (1395)
  14. Wireless Internet (1389)
  15. FTTH (1381)

Helpful ISP Guides and Tips


Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact